ANALYSIS OF 2016/17 INTERNAL AUDIT HIGH PRIORITY MANAGEMENT ACTIONS IN THE NHS

Transcription

1 ANALYSIS OF 2016/17 INTERNAL AUDIT HIGH PRIORITY MANAGEMENT ACTIONS IN THE NHS

2 Introduction The NHS continues to operate within a significantly challenging environment, and whilst the scale and depth of those challenges are well documented, pressure on the NHS is arguably greater than it has ever been. While NHS funding is rising in real terms, it is at a slower pace compared with historical trends, meaning that financial pressures remain and trusts continue to encounter deficits. Allied to this, reductions in funding in other governmental departments, notably local government and social care services, has further increased the pressure on the NHS to pick up the slack. Increases in service demand mean that trusts are operating at capacity levels and treating more people; this is putting pressure on waiting times and staff, which is compounded by growing patient expectations. Against this backdrop we have undertaken an analysis of all high priority management actions agreed with our internal audit NHS clients in 2016/17. This paper highlights what we, and our NHS clients, consider to be the most important matters to be addressed from the outcomes of our internal audit reviews and allows NHS organisations to gain an insight into those key themes arising.

3 3 Sector overview We agreed 436 high priority management actions across 86 healthcare clients. Those healthcare clients where we agreed high priority management actions are: NHS provider trusts 44 Clinical Commissioning Groups (CCGs) 32 Community Interest Companies (CICs) High priority management actions agreed As part of our approach to categorising internal audit findings, we agree low, medium and high priority management actions with clients. A high priority management action is agreed where there is a serious internal control or risk management issue and where immediate management attention is necessary. In analysing the outcomes, we have categorised agreed management actions into key themes and, for those more prevalent categories, provided further analysis through the use of sub-themes. We now analyse those agreed management actions across NHS providers, CCGs, and CICs.

4 4 NHS provider trusts In focusing solely on NHS providers, the graph below illustrates that the largest categories of high priority management actions related to HR and staffing, financial management and data quality. HR and staffing Financial management Data quality Governance and risk management Procurement 18 week referral to Treatment Estates IT Medical equipment Patient consent and duty of candour Incident management Safeguarding Patient property Capacity planning and management Other (%) Figure 1: areas of focus for high priority management actions agreed during 2016/17 with providers HR AND STAFFING 15 per cent of high priority management actions (54 actions out of 353) agreed with NHS providers related to HR and staffing. 5.5% Sickness absence 24% Agency staff 9% Safe staffing 13% Medical job planning 18.5% Starters and leavers 15% Rostering/rotas 15% Appraisals and training Figure 2: breakdown of high priority management actions agreed with providers relating to HR and staffing

5 5 Perhaps unsurprisingly, the majority of those management actions related to agency workers and in particular: the need to recruit permanent staff to reduce reliance on agency workers; ensuring physical evidence is in place to support verbal agreements and that processes for booking staff are robust and incorporate adequate authorisation procedures; ensuring consistent use of the Provider bank or the NHS Professionals platform; and enhancing procedures to ensure that hourly rates for agency staff are clear to managers at the time of booking. Ensuring effective control of agency spend is intrinsically linked to financial management (discussed below) and is an important element as providers seek to achieve financial health. Under measures established from 1 April 2016, all NHS trusts should be procuring agency staff through approved frameworks agreed with NHS Improvement and so any off framework procurement is considered to be non-compliant and any overrides have to be reported. i In light of rules to curb agency spending there is evidence demonstrating that trusts are reducing their outgoings in this area but effective workforce management such as being open to flexible working practices and encouraging professionals back into the service are increasingly important. The UK s decision to leave the EU is a further issue for the sector as there is already evidence that the number of EU nationals registering as nurses within the UK has reduced since the referendum result. The Immigration Bill will allow the UK to end EU rules on free movement, and while there have been reassurances that measures will allow the UK to continue attracting the brightest and the best ii there remains uncertainty as to how the Brexit negotiations will develop and what impact there will be on the sector. In ensuring effective ward management and safe staffing levels, rotas are of course essential. Management actions from our reviews focus upon ensuring rosters are published well in advance, are accessible, are used across wards and throughout the trust and are approved. There should also be suitable planning and review mechanisms to ensure employees do not work excessive hours, which is deemed unsafe. Nine per cent of staffing actions focused directly on safe staffing and in particular highlighted the need to ensure safe staffing levels are in place across the trust. Our reviews of starter and leaver processes highlighted the need for trusts to enhance their recruitment processes to ensure: all required pre-employment checks are completed, such as right to work in the UK, Disclosure and Barring Service (DBS) checks; there is adequate recording of qualifications; and staff leaver forms are processed within specified timescales to avoid overpayments.

6 6 FINANCIAL MANAGEMENT Following a period of funding reduction, there are some concerns within the sector that the NHS requires more funding to remain sustainable if it is to continue to deliver its current level of services. The NHS provider sector deficit has been cut from 2.4bn in 2015/16 to 791m in 2016/17, driven primarily by 3.1bn of savings and a reduction of 700m on agency and locum use spend. The NHS has been required to make substantial efficiency savings in recent years, however, NHS Improvement Chief Executive, Jim Mackey, has warned that despite successes in 2016/17 many of the gains were made from non-recurrent items which do not address the longer term financial sustainability of many providers. iii While 14 per cent of all high priority management actions agreed with NHS providers related to financial management, the majority of actions related specifically to cost improvement programmes (CIPs). Many of the actions related to strengthening the governance arrangements around CIPs, ensuring they are appropriately reviewed, costed and approved and supported by appropriate evidential documentation including risk and quality impact assessments. Successful CIPs bring about long-term transformational change and so as a minimum, it is important to ensure there are no planning gaps and that key project and action owners are assigned. 7% Debt management 12% Budgetary control and monitoring 29% CIP 12% Payments to staff 16% Authorisations and documentary evidence 24% Key financial controls Figure 3: breakdown of high priority management actions relating to financial management Robust financial controls are essential in maintaining effective budgetary management. High priority management actions were agreed regarding: the need for segregation of duties (between creation and approval); ensuring appropriate review of payments to ensure no duplicate or fraudulent payments have been made; ensuring verification for supplier bank detail amendments, and that details of any amendments/change forms are retained to facilitate review; and the identification of incorrect changes or overpayments. We have seen a number of actions agreed relating to payments to staff, where internal processes should be improved to prevent overpayments occurring, expenses policies need to be enforced, and where overpayments are identified timely action is needed to recover the funds. In maintaining financial management, it is paramount to ensure that any anticipated budget overspend is authorised by the relevant budget holder and members of the management team. The same is true for any amendments to authorised signatory limits, which must also be communicated through approved notification mechanisms. There should be appropriate challenge where budget variances occur and where spend is greater than budgeted, action plans should be in place and reported against.

7 7 DATA QUALITY Perhaps reflecting the highly regulated and prescribed environment of the NHS, 12 per cent of high priority management actions related to data quality. The need for enhanced data quality related to a number of areas including: the A&E four hour waiting target and recording patient arrival, seen time and discharge/transfer/ admission time; implementing data recording processes for patients who experience falls while in hospital; ensuring next of kin details are recorded on patient records; and that patient case notes contain all relevant information, such as any palliative care. This data is not only essential in providing quality care but also necessary for external reporting. Other data quality issues focused upon incomplete staff records, which contained missing or wrong information and ensuing staffing level data is accurate, which is important in identifying instances of low clinical supervision. There are clearly links with the HR high priority management actions we discussed previously and the cross reference signifies the importance of ensuring internal processes in this area are robust. In addition, we also identified the need to review key performance indicators to ensure they are appropriate and there is evidence of validation of reported data. The need for clearly defined and accessible standard operating procedures is paramount, as is appropriate review and check of recorded data, which is reported to senior management and used to trace performance but also to formulate strategic activities. GOVERNANCE AND RISK MANAGEMENT Sound governance is the cornerstone of an effective, well managed, service focused organisation and is vital in ensuring clear leadership and strategic direction. Trust senior management should be assured that internal structures and processes are appropriate and that vitally, risk management and internal control systems are robust. At eight per cent of all high priority management actions agreed with NHS providers, governance and risk management actions form a relatively significant proportion. Governance actions relate to: a lack of policies and procedures to guide expected/best practice or which are in place but not being adhered to; ensuring consistent approaches are adopted and that authorisation levels are clear and communicated; data sharing processes are documented; and committee terms of reference are updated and reflect actual activity and that overarching governance structures are documented and communicated. The Board Assurance Framework (BAF) brings together all of the relevant information on the risks to the board s strategic objectives. It is therefore essential that it remains fit for purpose to ensure the board has confidence that risks are being controlled effectively. Agreed actions relating to the BAF and risk register include: ensuring the risk register is reviewed throughout the year, in compliance with the risk management strategy; that commentary is included within the BAF so that risk direction of travel can be seen, progress against key actions documented and any slippage identified; there is a clear process for risks that need to be escalated to the corporate risk register and BAF; and the need to clearly articulate assurance sources against risks and identify assurance gaps.

8 8 PROCUREMENT AND ESTATES Procurement is clearly linked to service quality and expenditure and so it is important to get it right. We have agreed management actions regarding: the need for a thorough procurement strategy to be in place; the procurement process is complied with and appropriate authorisations are sought for all approvals; that expected performance levels are established and service level agreements in place; and that tender evaluation processes are clear. Other actions related to ensuring the contracts register is up to date and includes relevant information and the need to review contracts before they expire to ensure the trust is planning well. Management actions relating to the estate focused on health and safety, capital projects and sustainability. The estate strategy should be reviewed and updated to ensure it remains reflective of the needs of the trust and any backlog maintenance should be detailed and its impact (financial and clinical) should be explained. Sir Robert Naylor's independent review of property and estates called for the NHS, via Sustainability and Transformation Plans (STPs) to rapidly develop robust capital plans which are aligned with clinical strategies, maximise value for money (including land sales) and address backlog maintenance. iv While 325m capital investment over the course of the next three years is in place to develop local STPs, trusts must ensure their plans include robust business cases that are fully costed. 18 WEEK REFERRAL TO TREATMENT While the 18 week GP referral to treatment (RTT) target has been relaxed, we identified the need for trusts to: ensure the patient access policy is reviewed; a watching brief on waiting times is maintained and where backlogs occur they are dealt with by moving a patient to another consultant where this is possible; and that training on the RTT rules is undertaken to ensure staff understand what is required of them. IT With an estimated 200,000 computer infections in 74 countries, the WannaCry ransomware caused major outages in the NHS, affecting 47 NHS organisations. Perhaps not surprisingly, and even before the WannaCry malware hit, the majority of IT high priority management actions related to cyber security and the need for effective or enhanced controls in relation to privileged IT accounts, server vulnerabilities, disabling inactive user accounts, employee awareness and training, and compliance with the Cyber Essentials framework. In response, we have published a cyber security benchmarking report providing insight for the sector on what is an ever evolving and significant risk area. v MEDICAL EQUIPMENT Effective control of medical equipment and stocks must be maintained. Standard operating procedures detailing how stock should be managed should be in place, stock takes performed on a regular basis, with recording mechanisms in place so that spoilt/out of date items can be identified, and ensuring replacement plans are established is important for the effective management of medical equipment and therefore healthcare provision. DUTY OF CANDOUR AND INCIDENT MANAGEMENT Rooted in the recommendations of the Francis Inquiry vi, the need for a cultural shift for the NHS to be more open and transparent, is enforced by the Duty of Candour. In order to demonstrate compliance, trusts must ensure incidents are recorded timely and accurately, that documented information is of sufficient detail, and that information captured on software systems (for examples Ulysses) is aligned to Regulation 20. We have identified variances in the level of detail recorded and a lack of segregation of duties between the incident recorder and incident reviewer.

9 9 Where a serious incident has occurred there is a need to demonstrate lessons learnt and how improvement will be made moving forwards. A number of high priority management actions focused on the need for effective management of serious incident action plans and ensuring identified actions are appropriately implemented. SAFEGUARDING It is important to ensure that the systems in place for raising and monitoring safeguarding concerns are adequately designed to protect patients. Most of the safeguarding high priority management actions agreed with trusts related to training and ensuring full compliance. Where full or further safeguarding training has not taken place that ought to have been, there should be mechanisms in place to prevent that individual from working with adults and children. In addition, where there are separate systems in place for recording safeguarding concerns each of those systems must be reconciled so that an holistic view of safeguarding issues is known and that full information can be reported to trust board. Information should be reported frequently, ideally monthly, and where any action plans to address identified failings are in place, progress should be monitored so that any unachievable objectives within certain timescales are identified. PATIENT PROPERTY Three per cent of high priority management actions agreed with providers related to patient property. In particular: the need to ensure user acceptance of the patient property policy and ensuring it is up to date and easily accessible; ensuring consistent approaches to the protection of service user money and property are applied across all site locations and spot checks are undertaken to confirm consistency in approach; and ensuring staff are trained in the processes adopted. This could be via standalone training sessions or included as part of induction. CAPACITY PLANNING AND MANAGEMENT Capacity planning is essential for the effective and efficient delivery of healthcare and is vital in managing costs. The development of a strategic capacity plan, supported by a clear set of policies and procedures, helps trusts to plan better, enabling them to better meet demand. It is important as trusts prepare for full seven day working but also in managing beds and waiting times. To be fully effective, capacity planning should interlink with other planning processes, such as job planning and financial planning. OTHER MANAGEMENT ACTIONS Fewer in number were high priority management actions relating to the following clinical areas: the management of Patient Safety Alerts and implementation of robust processes for wards / departments to refer Section 117 patients for aftercare under the Mental Health Act; the need for staff to comply with policy relating to the correct temperature and secure storage of medicines and disseminating best practice through the use of learning and development sessions; ensuring effective and efficient discharge processes including the timely submission of discharge letters to GP practices; and clinical audit including the need for accessible standard operating procedures regarding the use of antibiotics.

10 10 Clinical commissioning groups Overall, we agreed fewer high priority management actions per audit with CCGs than provider trusts, reflecting in many respects the very different operational focus of those bodies. While 38 per cent of high priority management actions agreed with CCGs related to financial management, a correlation seen with NHS providers, no high priority management actions were agreed with CCGs relating to HR and staffing. This may be a reflection of the size and diversity of the staff population within provider organisations, and how in many respects CCGs are much smaller in organisational size. Financial management Continuing healthcare contract Collaboration/contracting/procurement Conflicts of interest Governance and risk management Outcomes based commissioning Patient pathways Primary care co-commissioning Other (%) Figure 4: areas of focus for high priority management actions agreed during 2016/17 with CCGs

11 11 FINANCIAL MANAGEMENT 7% Better Care Fund 10% Budgetary control and monitoring 43% QIPP 40% Payments Figure 5: breakdown of high priority management actions relating to financial management with CCGs A significant proportion of high priority management actions agreed related to financial planning and delivery and specifically quality, innovation, productivity and prevention (QIPP). Designed to bring about improvement in QIPP delivery and management, we agreed management actions relating to: improving the governance arrangements in place to ensure that schemes are developed, approved and delivered in preparation for commencement of the financial year; and that the governing body receives sufficient reporting information so that schemes not delivering anticipated savings, or having a negative variance, are identified and that schemes that hold further savings potential are considered. In terms of expenditure we identified the need for CCGs to maintain effective oversight of budgets, particularly in relation to social care payments agreed with local authorities. Actions were also agreed on addressing issues of GP overpayments and clarifying processes regarding out of hours GP payments. Significant financial pressures remain for CCGs. For those reporting deficits, ensuring accurate financial data from providers and working with them and other CCGs within the locality is increasingly important in ensuring sustainability, as is the need to explore the wider benefits of STPs designed to reduce cost pressures.

12 12 CONTINUING HEALTHCARE CONTRACT, PROCUREMENT AND COLLABORATION Reviews of continuing healthcare contracts (CHC) identified instances of CHC provider underperformance. There have been discrepancies between the hours of care paid for and those hours recorded as evidence and instances of service user reviews being overdue. It is important for service level agreements to be in place with providers and KPI targets to be monitored and reported upon to identify any issues arising. There were also instances where patients did not have contracts in place or were not signed and where care plans had not been developed. 14 per cent of high priority management actions agreed with CCGs related to collaboration, contracting and procurement. GOVERNANCE AND RISK MANAGEMENT In terms of governance, we agreed actions on improving committee terms of reference to strengthen internal processes and to ensure they suitably reflect activity. This helps ensure there is clarity in decision making during meetings and that limited resources are used effectively such as funding set aside for winter pressure commitments. Actions were also agreed on the need to develop strategies such as quality and safety strategies. In a similar theme to those actions agreed with NHS providers, actions with CCGs were agreed on the need to: enhance BAF processes, to ensure action owners are identified and control and assurance gaps are identified; and closely monitoring controls in place designed to rectify performance failures and identifying whether any assurances are required. CONFLICTS OF INTEREST Following NHS England s revised statutory guidance vii, an annual internal audit review on the management of conflicts of interest is mandatory for all CCGs. The revised statutory guidance also set out the need for CCGs to appoint a conflict of interest guardian and as part of our reviews we have highlighted the need for this requirement to be met. In addition, we agreed high priority management actions relating to: keeping the conflicts of interest register up to date by requiring individuals to complete and return their declarations when required and enforcing escalation procedures for those who fail to submit; and where potential conflicts of interest are identified, the approach taken is documented in board/committee minutes and that the requirement regarding conflicts of interest will be clearly stated within board/committee agendas.

13 13 OUTCOMES BASED COMMISSIONING, PATIENT PATHWAYS AND PRIMARY CARE CO-COMMISSIONING We agreed high priority management actions regarding the risks associated with: forming a commissioner/provider alliance to deliver outcomes based services, which is inherently an innovative and complex approach; the need for service continuity, as contracts come to an end but no agreement is reached on service provision after contracts have ceased; and where there is no evidential record of decision making featured within board/committee minutes. From the outset contracts should include clear target outcomes which are monitored through the use of KPIs. Actions were also agreed to ensure cross-sector patient pathways are operating as intended, that service KPIs are agreed and that adequate reporting takes place. Where there is a lack of reported KPI and data, CCGs are not able to review service quality comprehensively. In line with NHS England s Next steps towards primary care cocommissioning CCGs have the opportunity to adopt one of three primary care commissioning modes: Level 1 full delegated responsibility for commissioning the majority of GP services; Level 2 joint commissioning responsibility with NHS England; and Level 3 greater involvement in GP commissioning decisions. The intention was to give CCGs more influence over the wider NHS budget and enable local health commissioning arrangements that can deliver improved, integrated care for local people, in and out of hospital. As CCGs take steps to move to an alternative Level we identified that the risk log from NHS England (which identifies quality issues with each practice) is not consistently received, not completed for every practice and data reported is not consistent with source information. This represents the risk that decisions on activities are made based on incorrect or incomplete data of GP practices. We also identified instances where payments had been made to practices where CCG approval had not been granted and had been sought retrospectively.

14 14 OTHER MANAGEMENT ACTIONS Fewer in number were high priority management actions relating to: cyber security and ensuring software is kept up to date and patches are utilised to prevent the organisation becoming exposed to malicious attack; in adhering to safeguarding standards, processes must be in place to ensure all appropriate members of CCG staff have a DBS check and that the DBS register is maintained; and the need to develop an effective engagement strategy detailing the CCG s approach to engagement with children and adolescents, minority groups and those with mental health conditions. COMMUNITY INTEREST COMPANIES Only four per cent of the organisations in our analysis were CICs and, whilst they are relatively small in population, they are increasingly driven by the need to ensure patients and communities receive the services they require. The majority of high priority management actions agreed with CICs relate to data quality and ensuring records are up to date and reliable, which is essential in operational performance management and overall governance. In particular, we agreed actions relating to: ensuring appropriate monitoring mechanisms are in place to ensure timely validation to care notes and obtaining data regarding those employees who have received process training; and ensuring the outcome of appointments are recorded promptly to ensure there are no incomplete clinical records but also to avoid any financial penalties from commissioners. THE FUTURE The sector must continue to navigate through a climate of fiscal restraint, focus on delivering excellence in patient care, and deal with the inevitable challenges posed by a post-brexit era and do so within a backdrop of a changing demographic. As the sector moves forward, and based on the risk profile of individual healthcare bodies, it will be interesting to see how board assurance frameworks are further developed to identify and secure those assurances required during 2017/18 and beyond.

15 15 Details of our sample A total of 818 internal audit reports from 86 NHS clients were reviewed for this analysis. In total 436 high priority management actions were made by our internal audit teams across 79 clients, as part of 234 internal audit reviews. Sources of further information i NHS Improvement Agency rules, Framework agreement approval: guidance for framework operators Framework_Operator_Guidance_Feb2017.pdf ii Prime Minister s Office The Queen s Speech iii NHS Improvement Performance of the NHS Provider Sector year ended 31 March M12_201617_provider_sector_performance_report_-_Fin_ Accts_-_FINAL.pdf Sir Robert Naylor NHS Property and Estates attachment_data/file/607725/naylor_review.pdf iv V RSM Wannacry no more? Cyber security in the NHS The Mid Staffordshire NHS Foundation Trust Public Inquiry Chaired by Robert Francis QC vi NHS England Managing conflicts of interest: Revised statutory guidance for CCGs vii

16 FOR MORE INFORMATION CONTACT Tim Merritt Head of Healthcare T +44(0) tim.merritt@rsmuk.com Nick Atkinson Risk Assurance Partner T +44(0) nick.atkinson@rsmuk.com rsmuk.com The UK group of companies and LLPs trading as RSM is a member of the RSM network. RSM is the trading name used by the members of the RSM network. Each member of the RSM network is an independent accounting and consulting firm each of which practises in its own right. The RSM network is not itself a separate legal entity of any description in any jurisdiction. The RSM network is administered by RSM International Limited, a company registered in England and Wales (company number ) whose registered office is at 50 Cannon Street, London EC4N 6JJ. The brand and trademark RSM and other intellectual property rights used by members of the network are owned by RSM International Association, an association governed by article 60 et seq of the Civil Code of Switzerland whose seat is in Zug. RSM Corporate Finance LLP, RSM Restructuring Advisory LLP, RSM Risk Assurance Services LLP, RSM Tax and Advisory Services LLP, RSM UK Audit LLP, RSM UK Consulting LLP, RSM Employer Services Limited, RSM Northern Ireland (UK) Limited and RSM UK Tax and Accounting Limited are not authorised under the Financial Services and Markets Act 2000 but we are able in certain circumstances to offer a limited range of investment services because we are members of the Institute of Chartered Accountants in England and Wales. We can provide these investment services if they are an incidental part of the professional services we have been engaged to provide. RSM Legal LLP is authorised and regulated by the Solicitors Regulation Authority, reference number , to undertake reserved and non-reserved legal activities. It is not authorised under the Financial Services and Markets Act 2000 but is able in certain circumstances to offer a limited range of investment services because it is authorised and regulated by the Solicitors Regulation Authority and may provide investment services if they are an incidental part of the professional services that it has been engaged to provide. Baker Tilly Creditor Services LLP is authorised and regulated by the Financial Conduct Authority for credit-related regulated activities. RSM & Co (UK) Limited is authorised and regulated by the Financial Conduct Authority to conduct a range of investment business activities. Whilst every effort has been made to ensure accuracy, information contained in this communication may not be comprehensive and recipients should not act upon it without seeking professional advice RSM UK Group LLP, all rights reserved Expires